OPERATIONAL RISK

PREPARED BY :- DR GUNJAN BAHETI

INTRODUCTION

The role of operational risk in the 2007/2008 financial crisis is explored. The
factors that gave rise to the crisis are examined and it is found that although the
event is largely regarded as a credit crisis, operational risk factors played a
significant role in fuelling its duration and severity. It is concluded that, from an
operational risk perspective, 2008 was the worst on record. Considering the
extensive role of operational risk in global financial calamities, suggestions are
made to improve the management of this risk type.

MEANING

The Basel II definition of operational risk is the risk of loss resulting from
inadequate or failed internal processes, people and systems or from external
events (BCBS, 2006). This definition excludes strategic and reputational risk,
but includes legal risk. Note that operational risk typically deals with losses
only, unlike market risk which consider the upside (profit) as well.

SEVEN TYPES OF OPERATIONAL RISK PROJECTED BY

BASEL II

 Internal fraud – Acts of fraud committed internally in an organization

go against its interest. Losses can result from intent to defraud, tax non-
compliance, misappropriation of assets, forgery, bribes, deliberate
mismarking of positions and theft.
 External fraud – External frauds are activities committed by third parties.
Theft, cheque fraud, and breaching the system security like hacking or
acquiring unauthorized information are the frequently encountered practices
under external fraud.
 Employment practices and workplace safety – Non-compliance to
employment or health-and-safety laws and regulations are grave operational
hazards in any organization.
  Incompetent maintenance of employee relations takes a toll on employees,
claiming their well-deserved compensation and benefits. Unethical
termination criteria and discrimination are other operational risks that
subject institutions to serious financial and reputational damage.

 Clients, products, & business practice – Organizations fail to meet

promises made to their clients as a result of unintended circumstances rising
from negligent practices. Privacy and fiduciary breaches, misuse of
confidential information, suitability issues, market manipulation, money
laundering, unlicensed activities and product defects are very common
practices that lead companies to face lawsuits. There are many intentional
and unintentional malpractices exercised in the business world.
Entrepreneurs should learn the do’s and don’ts before starting up.
 Damage to physical assets – These are losses incurred by damages caused
to physical assets due to natural disasters or other events like terrorism and
vandalism. Rapid and unexpected changes in climatic conditions have been
a constant cause of concern in the business world for more than a decade in
recent history.
 Business disruption and systems failures – Supply-chain disruptions and
business continuity have always been a big challenge for banks.
System failures (hardware or software), disruption in telecommunication,
and power failure can all result in interrupted business and financial loss.
 Execution, delivery, & process management – Failure in delivery,
transaction or process management is an operational risk that has the
potential to bring loss to a business.Errors in data entry, miscommunication,
deadline misses, accounting errors, inaccurate reports, incorrect client
records, negligent loss of client assets and vendor disputes are operational
risk events that could bring about legal threats to the organization.

Significant causes for operational risks?

Operational risk management has become even more prominent over the past few
years. Financial institutions, using the latest financial software technology, have
grown tremendously in size, and are engaged in developing multi-structured and
multi-layered products and services. This has made the overall operations within
these institutions very complex and difficult to handle. This environment has led to
a significant increase in several kinds of risk. There are both internal and external
contributing factors.
 Internal Factors
Inadequate processes, failure of existing systems, inefficient hardware and server
maintenance contribute to banking operations being adversely affected. The onset
of manual errors and erroneous communication also occurs as a result of a huge
workorce.

 External Factors
External factors such as natural disasters, political upheavals, weak financial
policies of the state, and criminal fraud have only compounded operational risks.

What is required to counter operational risks?

The implementation of a robust automated solution and the development of a well-

defined operational risk management policy that can identify, monitor, assess and
eliminate, if not reduce, all potential risks. Strong internal controls, incident and
event tracking, risk profiling, use of automated e-mail alerts, and notifications are
some of the key features of a sound operational risk management solution.

Methods for calculating operational risk capital

Basel II and various supervisory bodies of the countries have prescribed various soundness
standards for operational risk management for banks and similar financial institutions. To
complement these standards, Basel II has given guidance to 3 broad methods of capital
calculation for operational risk:

 Basic Indicator Approach – based on annual revenue of the Financial Institution

 Standardized Approach – based on annual revenue of each of the broad business lines
of the Financial Institution
 Advanced Measurement Approaches – based on the internally developed risk
measurement framework of the bank adhering to the standards prescribed (methods
include IMA, LDA, Scenario-based, Scorecard etc.)
The operational risk management framework should include identification, measurement,
monitoring, reporting, control and mitigation frameworks for operational risk.
There are a number of methodologies to choose from when modeling operational risk, each
with its advantages and target applications. The ultimate choice of the
methodology/methodologies to use in your institution depends on a number of factors,
including:

 Time sensitivity for analysis;

 Resources desired and/or available for the task;
 Approaches used for other risk measures;
 Expected use of results (e.g., allocating capital to business units, prioritizing control
improvement projects, satisfying regulators that your institution is measuring risk,
providing an incentive for better management of operational risk, etc.);
 Senior management understanding and commitment; and
 Existing complementary processes, such as self-assessment[10]

Basic indicator approach

The basic approach or basic indicator approach is a set of operational risk measurement

techniques proposed under Basel II capital adequacy rules for banking institutions.
Basel II requires all banking institutions to set aside capital for operational risk. Basic
indicator approach is much simpler compared to the alternative approaches (i.e. standardized
approach (operational risk) and advanced measurement approach) and thus has been
recommended for banks without significant international operations.
Based on the original Basel Accord, banks using the basic indicator approach must hold
capital for operational risk equal to the average over the previous three years of a fixed
percentage of positive annual gross income. Figures for any year in which annual gross
income is negative or zero should be excluded from both the numerator and denominator
when calculating the average. A standard deviation is commonly also taken.
The fixed percentage 'alpha' is typically 15 percent of annual gross income
Reserve Bank has proposed that, at the minimum, all banks in India should adopt this
approach while computing capital for operational risk while implementing Basel II. Under
the Basic Indicator Approach, banks have to hold capital for operational risk equal to a fixed
percentage (alpha) of a single indicator which has currently been proposed to be “gross
income”. This approach is available for all banks irrespective of their level of sophistication.

The charge may be expressed as follows:

KBIA = [ ∑ (GI*α) ]/n,

Where KBIA = the capital charge under the Basic Indicator Approach.

GI = annual gross income, where positive, over the previous three years

α = 15% set by the Committee, relating the industry-wide level of required capital to
the industry-wide level of the indicator.

n = number of the previous three years for which gross income is positive.

The Basel Committee has defined gross income as net interest income and has allowed each
relevant national supervisor to define gross income in accordance with the prevailing
accounting practices. Accordingly, gross income will be computed for this purpose as defined
by the Reserve Bank of India for implementation of the new capital adequacy framework.
Standardized approach (operational risk)

In the context of operational risk, the standardized approach or standardised approach is

a set of operational risk measurement techniques proposed under Basel II capital adequacy
rules for banking institutions.
Basel II requires all banking institutions to set aside capital for operational risk. Standardized
approach falls between basic indicator approach and advanced measurement approach in
terms of degree of complexity.
Based on the original Basel Accord, under the Standardised Approach, banks’ activities are
divided into eight business lines: corporate finance, trading & sales, retail
banking, commercial banking, payment & settlement, agency services, asset management,
and retail brokerage. Within each business line, gross income is a broad indicator that serves
as a proxy for the scale of business operations and thus the likely scale of operational risk
exposure within each of these business lines. The capital charge for each business line is
calculated by multiplying gross income by a factor (denoted beta) assigned to that business
line. Beta serves as a proxy for the industry-wide relationship between the operational risk
loss experience for a given business line and the aggregate level of gross income for that
business line.

Business Line Beta Factor

Corporate finance 18%

Trading and sales 18%

Retail banking 12%

Commercial banking 15%

Payment and
18%
settlement

Agency services 15%

 Business Line Beta Factor

Asset Management 12%

Retail Brokerage 12%

The total capital charge is calculated as the three-year average of the simple summation of the
regulatory capital charges across each of the business lines in each year. In any given year,
negative capital charges (resulting from negative gross income) in any business line may
offset positive capital charges in other business lines without limit.
In order to qualify for use of the standardised approach, a bank must satisfy its regulator that,
at a minimum:

 Its board of directors and senior management, as appropriate, are actively involved in
the oversight of the operational risk management framework;
 It has an operational risk management system that is conceptually sound and is
implemented with integrity; and
 It has sufficient resources in the use of the approach in the major business lines as
well as the control and audit areas.
On March 4, 2016, the Basel Committee on Banking Supervision finally updated its proposal
for calculating operational risk capital, introducing the Standardized Measurement Approach
(“SMA”). Building upon its 2014 version, the SMA would not only replace the existing
standardized approaches, but also the Advanced Measurement Approach. Under the SMA,
regulatory capital levels will be determined using a simple formulaic method which facilitates
comparability across the industry.[1]

Advanced measurement approach

Advanced measurement approaches (AMA) is one of three possible operational
risk methods that can be used under Basel II by a bank or other financial institution. The
other two are the Basic Indicator Approach and the Standardised Approach. The methods (or
approaches) increase in sophistication and risk sensitivity with AMA being the most
advanced of the three.
Under AMA the banks are allowed to develop their own empirical model to quantify required
capital for operational risk. Banks can use this approach only subject to approval from their
local regulators. Once a bank has been approved to adopt AMA, it cannot revert to a simpler
approach without supervisory approval.
Also, according to section 664 of original Basel Accord, in order to qualify for use of the
AMA a bank must satisfy its supervisor that, at a minimum:

 Its board of directors and senior management, as appropriate, are actively involved in
the oversight of the operational risk management framework;
 It has an operational risk management system that is conceptually sound and is
implemented with integrity; and
 It has sufficient resources in the use of the approach in the major business lines as
well as the control and audit areas.

Contents

The four data elements

According to the BCBS Supervisory Guidelines, an AMA framework must include the use of
four data elements: (i) Internal loss data (ILD),
(ii) External data (ED),
(iii) Scenario analysis (SBA), and
(iv) Business environment and internal control factors (BEICFs).

Loss distribution approach

While AMA does not specify the use of any particular modeling technique, one of the most
common approaches taken in the banking industry is the loss distribution approach (LDA).
With LDA, a bank first segments operational losses into homogeneous segments, called units
of measure (UoMs). For each unit of measure, the bank then constructs a loss distribution that
represents its expectation of total losses that can materialize in a one-year horizon. Given that
data sufficiency is a major challenge for the industry, annual loss distribution cannot be built
directly using annual loss figures. Instead, a bank will develop a frequency distribution that
describes the number of loss events in a given year, and a severity distribution that describes
the loss amount of a single loss event. The frequency and severity distributions are assumed
to be independent. The convolution of these two distributions then give rise to the (annual)
loss distribution.[1][2][3]
THE 7 – STEP APPROACH TO MITIGATE OPERATIONAL RISK
MANAGEMENT

Operational risks impact the reputation and financial stability of a business

significantly. A lack of strong risk mitigation strategies results in various
operational failures, leading to crises in organizational management. That is
why many businesses have started procuring significant resources to design
a more robust risk-management framework.
Contemporary businesses are particularly keen to develop business
strategies that align with risk evolution. Characteristically, the process
begins with assessment of factors that can spring uncertainties, which also
impact existing and future business objectives.
Organizations need to ensure that effective controls exist at the first, second
and third risk-evolution stages. The earlier the controls are established in the
risk journey, the more effective the risk detection and mitigation mechanism
will be.Predominantly, 
operational risks are best discovered, controlled and mitigated using a
seven-step approach. It supports multiple facets, and has the ability to
alleviate numerous risks concurrently.

Step One – Task segregation

Effective segregation of tasks and duties reduces internal theft and risks
related to fraud. This prevents one individual from taking advantage of the
numerous aspects of transactions and business processes or practices.

Step Two – Curtailing complexities in business processes

Reducing complexity in different business processes radically mitigates
operational risks. Organizations can achieve that by curtailing manual
activities and the number of people and exceptions that rise during the
implementation of business processes.

Step Three – Reinforcing organizational ethics

Creating a strong ethical compass within the organization is highly effective
in mitigating operational risks management. Organizational ethics can be
reinforced by combining personal values and principles of the workforce with
the ideology of the organization.

Step Four – The right people for the right job

Having the right people in the right jobs can reduce issues pertaining to
business process execution and skill and technology usage. This also results
in appropriate workforce utilization, adherence to timelines, enhanced
quality, and fewer errors and process breakdowns.
Step Five – Monitoring and evaluations at regular intervals
Business processes are more effective with well-designed performance
indicators in place. Key Performance Indicators (KPIs) are critical for timely
detection and mitigation of risks, provided they are continuously monitored
and reviewed. This helps to identify discrepancies proactively and manage
them accordingly.

Step Six – Periodic risk assessment

Periodic assessments of all facets of operational risks bring more relief to
organizational management. It is imperative to be risk-ready by gauging
regulatory obligations, IT assets, skills, competencies, processes and
business decisions.

Step Seven – Look back and learn

Risk incidents and various remedial activities employed in the past make way
for some of the most effective strategies to counter future risks. Previous risk
occurrences help to implementing a stronger, proactive operational risk
management framework. It also supports real-time amendments that suit the
current operating scenario.
The critical task at hand is how organizations can implement the seven steps
for a successful risk management program. A corporate governance, risk and
compliance (GRC) platform enabled by technology can effectively support
the implementation of the 7-step approach to operational risk management.